Error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem

I have been getting a DNS error for about 10 hours, but there is no DNS problem on my server. Can you help me?

2021/02/08 01:02:07 [INFO] [ircsayfam.com, www.ircsayfam.com] acme: Obtaining SAN certificate
2021/02/08 01:02:08 [INFO] [ircsayfam.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686592941
2021/02/08 01:02:08 [INFO] [www.ircsayfam.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686592942
2021/02/08 01:02:08 [INFO] [ircsayfam.com] acme: Could not find solver for: tls-alpn-01
2021/02/08 01:02:08 [INFO] [ircsayfam.com] acme: use http-01 solver
2021/02/08 01:02:08 [INFO] [www.ircsayfam.com] acme: Could not find solver for: tls-alpn-01
2021/02/08 01:02:08 [INFO] [www.ircsayfam.com] acme: use http-01 solver
2021/02/08 01:02:08 [INFO] [ircsayfam.com] acme: Trying to solve HTTP-01
2021/02/08 01:02:41 [INFO] [www.ircsayfam.com] acme: Trying to solve HTTP-01
2021/02/08 01:03:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686592941
2021/02/08 01:03:25 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686592941
2021/02/08 01:03:26 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686592942
2021/02/08 01:03:26 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686592942
2021/02/08 01:03:26 Could not obtain certificates:
        error: one or more domains had a problem:
[ircsayfam.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: query timed out looking up A for ircsayfam.com, url:
[www.ircsayfam.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for www.ircsayfam.com - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.
2021/02/08 01:03:43 [INFO] [kafadarsohbet.net, www.kafadarsohbet.net] acme: Obtaining SAN certificate
2021/02/08 01:03:44 [INFO] [kafadarsohbet.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686620571
2021/02/08 01:03:44 [INFO] [www.kafadarsohbet.net] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686620575
2021/02/08 01:03:44 [INFO] [kafadarsohbet.net] acme: Could not find solver for: tls-alpn-01
2021/02/08 01:03:44 [INFO] [kafadarsohbet.net] acme: use http-01 solver
2021/02/08 01:03:44 [INFO] [www.kafadarsohbet.net] acme: Could not find solver for: tls-alpn-01
2021/02/08 01:03:44 [INFO] [www.kafadarsohbet.net] acme: use http-01 solver
2021/02/08 01:03:44 [INFO] [kafadarsohbet.net] acme: Trying to solve HTTP-01
2021/02/08 01:04:16 [INFO] [www.kafadarsohbet.net] acme: Trying to solve HTTP-01
2021/02/08 01:05:01 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686620571
2021/02/08 01:05:01 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686620571
2021/02/08 01:05:01 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686620575
2021/02/08 01:05:02 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/10686620575
2021/02/08 01:05:02 Could not obtain certificates:
        error: one or more domains had a problem:
[kafadarsohbet.net] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for kafadarsohbet.net - the domain's nameservers may be malfunctioning, url:
[www.kafadarsohbet.net] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: query timed out looking up A for www.kafadarsohbet.net, url:
Certificate generation failed.
2 Likes

hey

MASTER DCV: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (During secondary validation: DNS problem: SERVFAIL looking up A for ankaraokey.org - the domain's nameservers may be malfunctioning) 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (During secondary validation: DNS problem: SERVFAIL looking up TXT for _acme-challenge.ankaraokey.org - the domain's nameservers may be malfunctioning)

I am having the same problem. What can be the problem?

2 Likes

Thanks for posting this output and bringing it to our attention. The Let's Encrypt team is looking at our secondary validation servers for problems. We've opened a status page and will post updates there.

https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/6021d6b0387c0e053a136168

3 Likes

Yes I have the same problem.

[alanyaweb.net] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for alanyaweb.net - the domain's nameservers may be malfunctioning, url:
[www.alanyaweb.net] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for www.alanyaweb.net - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.

We cannot get SSL in any way, I wonder if there is a way to get it :frowning:

Hi @sekershell,

Are you the DNS host for all the affected domains? We're wondering if there may be a connectivity problem between our secondary validation viewpoints (in AWS EC2) and your nameservers. Are you able to reach AWS hosts from your nameservers? Do you have any firewall rules that might be blocking access from EC2?

2 Likes

Your hands look healthier.

I wish you good work.

I have to say I'm curious if it's related to AWS's recent implementation of RPKI. Probably completely unrelated, though.

2 Likes

I'm taking this to mean "your servers look healthier." Is that accurate?

I checked some of the involved hostnames in crt.sh and found they had successful issuances yesterday, so the issue seems resolved. We currently believe this was a temporary reachability issue between our secondary validation viewpoints and sekershell's hosts, and did not impact other hosts as far as we can tell. We've closed out the statusio.

2 Likes
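
A triage helper for the failure pattern discussed in this thread, as an added example that is not part of any post and not code from the ACME client or Let's Encrypt. It parses per-domain error lines in the format shown in the first post and reports whether every DNS failure occurred "During secondary validation", the case the thread traced to reachability between the secondary viewpoints and the nameservers. The function names and hint wording are hypothetical; the sample lines are copied from the first post.

```python
import re
from collections import defaultdict

# Two error lines copied from the first post's output.
SAMPLE_LOG = """\
[ircsayfam.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: query timed out looking up A for ircsayfam.com, url:
[www.ircsayfam.com] acme: error: 400 :: urn:ietf:params:acme:error:dns :: During secondary validation: DNS problem: SERVFAIL looking up A for www.ircsayfam.com - the domain's nameservers may be malfunctioning, url:
Certificate generation failed.
"""

ERROR_RE = re.compile(
    r"^\[(?P<domain>[^\]]+)\] acme: error: (?P<status>\d{3}) :: "
    r"urn:ietf:params:acme:error:(?P<type>\w+) :: (?P<detail>.*)$")
# Only the two failure kinds that appear in this thread are recognised.
DNS_RE = re.compile(
    r"DNS problem: (?P<failure>SERVFAIL|query timed out) "
    r"looking up (?P<rrtype>[A-Z]+) for (?P<name>[^\s,]+)")
SECONDARY = "During secondary validation: "

def parse_errors(log_text):
    """Return one dict per per-domain ACME error line."""
    records = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line.strip())
        if not m:
            continue  # INFO lines, summaries, blank lines
        dns = DNS_RE.search(m["detail"])
        records.append({
            "domain": m["domain"], "status": int(m["status"]), "type": m["type"],
            "secondary": m["detail"].startswith(SECONDARY),
            "failure": dns["failure"] if dns else "other",
            "rrtype": dns["rrtype"] if dns else None,
        })
    return records

def triage(records):
    """Summarise where DNS validation failed so the operator knows what to test."""
    dns = [r for r in records if r["type"] == "dns"]
    by_failure = defaultdict(list)
    for r in dns:
        by_failure[r["failure"]].append(r["domain"])
    secondary_only = bool(dns) and all(r["secondary"] for r in dns)
    if not dns:
        hint = "no DNS errors in this log"
    elif secondary_only:
        hint = "check nameserver reachability from remote networks (firewall, routing)"
    else:
        hint = "lookups also fail outside secondary validation; check zone and nameservers"
    return {"dns_errors": len(dns), "secondary_only": secondary_only,
            "by_failure": dict(by_failure), "hint": hint}
```
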
